Hello, and welcome back to my blog series on my experience utilizing the features and capabilities of the Flipper Zero for penetration testing. This week is focused on the Sub-GHz feature, specifically on using it to emulate a garage door opener remote. While having a spare remote for opening garage doors may be useful, especially if you have multiple doors, there are some serious security concerns that must be addressed. Luckily, a straightforward replay attack against a modern opener is not possible with a stock Flipper Zero, because garage door systems use rolling codes. In a rolling-code system, each remote holds its own secret key and a counter; every time the remote is pressed, the counter is incremented and the transmitted code is derived from the key and the new counter value. The opener remembers the last counter it accepted from each remote and only accepts a code whose counter is ahead of that value. So, while it is possible to record the signal sent by a remote, replaying it later fails: the opener has already consumed that counter value, and the recording cannot be advanced to the next value without the remote's key.

The counter is not sent in the clear; the transmitted code is derived from the remote's secret key, so recording transmissions over the air does not reveal the key or let an attacker compute the next value. The practical risk comes from physical access to the remote itself. A situation where this applies is bringing your vehicle into an unscrupulous garage that has unrestricted access to your garage door remote: pressing the remote once out of range of your opener yields a valid code the opener has never seen, and it will accept that code when replayed later, as long as you have not used the remote in the meantime. One silver lining is that rolling-code receivers only accept counters within a limited window ahead of the last one they saw, so pressing the remote many times to probe its behaviour pushes it past that window and desyncs it from the opener. That makes tampering easy to spot: your remote suddenly stops working. Resetting the garage door opener and re-registering the remote both restores service and invalidates any codes captured earlier. To be safe, I would recommend taking garage door opener remotes with you when leaving your vehicle for unsupervised service.

There is another concern: it is extremely simple to put a garage door opener into a “learning mode” (the exact terminology differs by manufacturer), in which the opener is ready to register new remotes. With the opener in this mode, you can use your Flipper Zero to emulate a new remote and thus register a new key with the opener. The concern is that a contractor working on your property who is given unmonitored access to the opener can quickly and easily register a Flipper Zero as a new remote, which can then be used to enter your garage later.

To do this, you first need to learn which security system your garage door opener uses. Chamberlain publishes an online table for its openers showing which models use which security system. Systems vary both between manufacturers and between models from the same manufacturer, so be sure to match the exact model number of your opener. Different security systems use different key formats and counter schemes, so it is important that the correct one is chosen.

Table showing what security technologies and radio frequencies are used by Chamberlain openers (Source: Chamberlain)

The second (optional) preparatory step is that you may need custom firmware for the Flipper Zero. The stock firmware does not support every security system used by garage door openers, so depending on which one your model uses, you may need custom firmware. Please note that custom firmware is not vetted by Flipper; do your due diligence by researching the firmware and examining its code base to be sure your Flipper Zero is doing what you expect. Back up the device first so that you can recover with a hard reset if the firmware fails to install.

Once the preparatory steps are completed, implementation is simple and straightforward, as usual with the Flipper Zero. Navigate to the Sub-GHz menu on the Flipper Zero and select Add Manually. This is where the custom firmware comes into play: the stock options here may not cover the security system your opener uses. Select the matching security option, name the remote however you wish, and save. Now put the garage door opener into learning mode (consult the manual for your model for the exact steps) and emulate the signal from the Flipper Zero. Just like that, the Flipper Zero is registered as a legitimate remote for the opener. The danger here is that this is not a replay: a new key is being added to the opener, so the attacker does not have to worry about desyncing the existing remotes, and nothing stops working for the owner. They could come back a year later and open the garage door, and if the owner never reset the opener, the attacker would still have access.

Flipper Zero custom Sub-GHz configuration options in the “Add Manually” menu showing various security standards – choose the one that matches the model of your garage door opener.
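To make the two mechanisms above concrete (why a captured code cannot simply be replayed, why over-pressing a remote desyncs it, and why a remote registered in learning mode keeps working until a factory reset), here is an added example that is not part of the original post and is not Flipper or any vendor's code. It models a toy rolling-code receiver in Python. The HMAC-based tag, the 16-press forward window, and the KeeLoq-style derivation of each remote's key from a shared manufacturer key and serial are assumptions chosen for illustration, not any real opener's protocol. It also goes slightly beyond the post by showing the one case where a captured code does work: a fresh press captured out of range of the opener and replayed before the owner next uses the remote.

```python
import hashlib
import hmac
import struct

# Toy rolling-code model, constructed for illustration only. It is NOT KeeLoq,
# Security+ or any vendor's real protocol; field widths, window size and key
# derivation are assumptions. Only the structure matters:
#   - each remote has a serial and a per-remote key derived from a manufacturer key
#   - every press increments a counter and sends (serial, counter, tag)
#   - the receiver keeps the last accepted counter per registered remote and only
#     accepts a counter that is 1..WINDOW ahead of it
#   - in learn mode the receiver derives the key for an unknown serial and stores it

WINDOW = 16  # assumed forward window of accepted counter values


def derive_remote_key(mfr_key: bytes, serial: int) -> bytes:
    """Per-remote key from a shared manufacturer key and the remote serial (assumed scheme)."""
    return hmac.new(mfr_key, struct.pack(">I", serial), hashlib.sha256).digest()


def make_tag(remote_key: bytes, serial: int, counter: int) -> bytes:
    """The keyed part of the frame: without remote_key nobody can forge the next counter."""
    return hmac.new(remote_key, struct.pack(">IQ", serial, counter), hashlib.sha256).digest()[:8]


class Remote:
    def __init__(self, mfr_key: bytes, serial: int):
        self.serial = serial
        self.key = derive_remote_key(mfr_key, serial)
        self.counter = 0

    def press(self) -> tuple:
        """One button press: advance the counter and emit the frame that goes over the air."""
        self.counter += 1
        return (self.serial, self.counter, make_tag(self.key, self.serial, self.counter))


class Opener:
    def __init__(self, mfr_key: bytes):
        self.mfr_key = mfr_key
        self.registered = {}  # serial -> [remote_key, last_accepted_counter]
        self.learn_mode = False

    def enter_learn_mode(self) -> None:
        self.learn_mode = True

    def factory_reset(self) -> None:
        """Wipe every registered remote; legitimate ones must be re-learned afterwards."""
        self.registered.clear()
        self.learn_mode = False

    def receive(self, frame: tuple) -> str:
        serial, counter, tag = frame
        if serial not in self.registered:
            if not self.learn_mode:
                return "ignored: unknown remote"
            key = derive_remote_key(self.mfr_key, serial)
            if not hmac.compare_digest(tag, make_tag(key, serial, counter)):
                return "ignored: bad tag during learn"
            self.registered[serial] = [key, counter]  # a new remote, nothing else desyncs
            self.learn_mode = False
            return "learned"
        key, last = self.registered[serial]
        if not hmac.compare_digest(tag, make_tag(key, serial, counter)):
            return "rejected: bad tag"
        if counter <= last:
            return "rejected: replay"  # this counter value was already consumed
        if counter - last > WINDOW:
            return "rejected: out of sync"  # remote pressed too often out of range
        self.registered[serial][1] = counter
        return "opened"


def scenario() -> dict:
    """Walk through the attacks discussed in the post and return each outcome."""
    mfr_key = b"constructed-manufacturer-key"  # constructed sample value
    opener = Opener(mfr_key)
    owner = Remote(mfr_key, serial=0x0001A2B3)
    opener.enter_learn_mode()
    opener.receive(owner.press())  # the owner's remote is registered normally

    results = {}
    # 1. Replaying a code the opener already saw fails: that counter is used up.
    captured = opener_seen = owner.press()
    results["legit"] = opener.receive(opener_seen)
    results["replay"] = opener.receive(captured)
    # 2. A single press captured out of the opener's range is an unused code and
    #    is accepted later, as long as the owner has not pressed the remote since.
    fresh = owner.press()
    results["fresh_capture"] = opener.receive(fresh)
    # 3. Pressing the remote more than WINDOW times out of range desyncs it.
    for _ in range(WINDOW + 1):
        frame = owner.press()
    results["desync"] = opener.receive(frame)
    # 4. A contractor with the opener in learn mode registers a brand-new remote ...
    rogue = Remote(mfr_key, serial=0xDEADBEEF)
    opener.enter_learn_mode()
    results["rogue_learn"] = opener.receive(rogue.press())
    results["rogue_later"] = opener.receive(rogue.press())
    # 5. ... and only a factory reset (plus re-learning the owner's remote) evicts it.
    opener.factory_reset()
    results["rogue_after_reset"] = opener.receive(rogue.press())
    opener.enter_learn_mode()
    results["owner_relearn"] = opener.receive(owner.press())
    return results


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step:18s} {outcome}")
```

Step 2 is the case the shop scenario maps to, and step 3 is the silver lining: the attacker has to be careful not to press the remote past the window, and the owner's next legitimate press would also invalidate the captured code. Steps 4 and 5 are the learning-mode registration; note that the rogue remote's presence never disturbs the owner's counter, which is why nothing looks wrong until the reset.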

While researching ways to defend against this type of attack, I could not find much information online, as this does not seem to be a major concern for garage door opener manufacturers. There are two key steps you can take to improve your security posture. The first is to opt for an opener with cloud functionality when purchasing one. With it, you get notifications on your smartphone whenever your garage door is opened or closed, so if the door opens at a time you are not expecting or when it should not be possible, a malicious actor may be at play. The second, which is simply safe practice, is to reset your garage door opener after anyone has had unrestricted access to it. It is not common for contractors to be constantly in and out of your garage, so in the rare case where you need service that requires access to it, spend the ten minutes to hop on a ladder, reset the opener and re-register your existing remotes. This completely prevents any maliciously registered remote from functioning, and if you are worried that someone had unrestricted access to your remote, resetting the opener addresses that as well.